The present invention relates to a system and method for recognising traffic generated from an authenticated device roaming in a wireless local area network and related aspects. In particular, but not exclusively, the invention relates to a method of determining if traffic having a network address translated (NAT) Internet Protocol (IP) source address comprises traffic generated by a device authorised to use a roaming communications service accessed via a wireless local area network and to related aspects.
Some wireless local area network access points, for example, the network access point device marketed by British Telecommunications plc as the HomeHub™, are arranged to support networks with different Service Set IDentifers (SSIDs). This enables traffic separation between guest users' devices within the area of the wireless network connectivity offered by the access point to the internet and a service subscriber's devices which also use the same access point to access the internet.
One benefit of sharing the wireless network coverage in this way to the service provider is that a wide area network is created without the installation costs and associated maintenance costs being the responsibility of the service provider. The configuration of the access points to provide such shared access with guest users is encouraged as the service subscriber for any particular internet service using the access point is then able to participate in the scheme and so also benefit from the roaming service that the shared access rights support.
However, unsolicited use of a registered user's wireless local area network (WLAN) has several implications. For example, the level of guest traffic should not prevent the service subscriber from having access to the internet which meets certain service level conditions. Use of the roaming service may need to be monitored, for example, to support only authenticated users enjoying the roaming rights, and also to monitor the type of use being made of such networks by guest users.
Distinguishing use of the access point by a device registered to a service subscriber associated with that access point and use of the network the access point provides by a device associated with guest or roaming users is particularly important for monitoring malicious, abusive, illegal or anti-social purposes, including for example, usage of interest from a national security perspective. Traffic separation schemes are known in the art which distinguish the use of the access point by ensuring a service subscriber's use of an access point is associated with a separate network SSID from the SSID of the wireless LAN the access point provides for ad hoc use by guests.
For example, the International Patent Application having the publication number WO2009/022052 entitled “Network Access for a Visiting User” describes how a visitor's device can request a network address (for example, an IP address) using a suitable protocol (e.g. the Dynamic Host Configuration Protocol) from an access point which issues an IP address to the visitor's device. When the terminal attempts to communicate with the internet (e.g. tries to open a connection to a WWW service) the base station opens a VPN tunnel automatically from the user's point of view, whereby all of the visitor's traffic is automatically routed through a VPN hub to a captive portal. The captive portal intercepts all transmitted packets and redirects the connection through to a login page (i.e., the captive portal opens a login page on the visitor's device) and does not allow the customer's traffic to propagate further before login.
The United States Patent Application having the publication number US2007/0268914 entitled “Tenant Network Controller Apparatus and Method” describes a LAN controller which can associate a MAC address with a geographic location.
The United States Patent Application having the publication number US2008/0200148 entitled “Method and System for Providing Network Access and Services using Access Codes” describes an authorization and access control system for a venue or a geographic region comprising a plurality of venues.
The European Patent Application having the publication number EP1850532 entitled “Method of providing a guest terminal with emergency access over a WLAN” describes providing an emergency SSID to allow access to a LAN in an emergency.
The United States Patent having the publication number U.S. Pat. No. 7,630,401 entitled “Bandwidth Management in a Network” describes how the transmission rate of a network device can be adjusted based on the network bandwidth utilisation.
The United States Patent Application having the publication number US2008/0117836 entitled “Methods and apparatus to manage bandwidth in a wireless network” describes a wireless network access point supports both a private SSID and a public SSID which has a policy interface which enables the setting of a permissible public bandwidth on the public SSID and a bandwidth allocator to control usage of the permissible public bandwidth.
The United States Patent Application having the publication number US2009/0201946 entitled “Dynamic DSL Line Bandwidth Management with the Subscriber's Consent” describes how bandwidth can be borrowed from non-critical subscriber services to meet the increased bandwidth of other subscriber services.
The United States Patent Application having the publication number US2008/0008140 entitled “Conditional Utilization of Private Short-Range Wireless Networks for Service Provision and Mobility” describes how a private short-range network can be integrated into a service/mobility domain.
The United States Patent Application having the publication number US2008/0144588 entitled “Method and Apparatus of Prioritizing Services of Wireless Local Area Network” describes how an access point which may send a beacon with two SSIDs, one for guests and one for the subscriber, and how the traffic associated with each SSID can be assigned differing priorities.
The United States Patent Application having the publication number US2006/0117104 entitled “Setting Information Distribution Apparatus, Method, Program, and Medium, Authentication Setting Transfer Apparatus, Method, Program, and Medium, and Setting information Reception Program” describes how a SAML message is used to tell a security device what a client device's current source address is.
The United States Patent Application having the publication number US2009/0129386 entitled “Operator Shop Selection” describes how an access node for an Ethernet network is connected between an access point for user devices and a Broadband Remote Access Server (BRAS) for access to a plurality of service providing networks which includes a Virtual Local Area Network (VLAN) handling unit. This patent application describes a number of schemes for enabling a user to access one of a range of possible broadband services by using extended network address indicators. Various schemes for acquiring IP addresses are described, however, whilst NAT is recognised as a problem in US2009/0129386, the situations contemplated are different in that the public IP address of traffic to be authorised for using the each service provided by an operator is the address which is first allocated, and the invention considers how this address space can be reused if NAT occurs between the allocation point and the client device.
Embodiments of the invention generally seek to obviate or mitigate limitations associated with the use of known systems, particularly those which require authentication in the broadband access service provider's domain, by providing a system for authorising roaming device generated traffic for onwards transmission in a communications system which deals with NAT in a different manner. The system is arranged to enable an authorisation server to remotely learn if traffic which has undergone NAT translation is associated with a device previously authenticated as one authorised to use the roaming service. The server receives messages and, if the message is recognised as a special meta-data type of message which requires the source address field to be examined, the IP address found in the source address (SA) field of the message can be associated with a device identifiable using the meta-data carried in the message payload. This message is generated by the access point used by the device so that the IP SA of the message from the access point undergoes the same NAT translation as that of the IP SA of packets genuinely generated by the authenticated device. In this way, a service selection gateway can be configured to automatically forward traffic received from the roaming device when this is subsequently generated which is received with the recognised IP address without referral to the authentication system or to the NAT server.